DNSMap

DNSmap works a bit differently from the tools we looked at in the previous sections. Instead of relying on public data sources, DNSmap enumerates the subdomains of an organization's domain by brute force: it takes each word from a built-in wordlist (shipped with the tool on Kali Linux), prepends it to the target domain, and checks whether the resulting name resolves. Every name that does resolve is reported together with its IP address(es) automatically. Because each candidate produces a real DNS query, this approach is noisier than passive OSINT lookups: the target's authoritative name servers see a query for every word in the list.
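To make the mechanism concrete, here is the brute-force loop written out by hand as a small POSIX shell script. This is an added example, not dnsmap's own code: the five-word wordlist and the example.com target are constructed, and the resolve step uses the system resolver through getent ahosts rather than dnsmap's own resolver.

```shell
#!/bin/sh
# Added example (not dnsmap's code): wordlist x domain -> candidate names -> resolve.

# Constructed mini wordlist; dnsmap ships a much longer built-in one.
# It deliberately contains a blank line, a comment and a duplicate to show the cleanup.
sample_wordlist() {
    printf '%s\n' www mail vpn dev staging '' '# comment' www
}

# Turn <label> x <apex> into fully qualified candidate names.
# Blank lines and comments are dropped, labels lower-cased, duplicates removed,
# so the resolver is not asked the same question twice.
candidate_names() {
    apex=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    grep -v -E '^(#|$)' \
      | tr 'A-Z' 'a-z' \
      | sort -u \
      | while IFS= read -r label; do
            printf '%s.%s\n' "$label" "$apex"
        done
}

# Resolve each candidate with the system resolver; print "name ip" for hits only.
# getent ahosts prints one "addr STREAM host" line per address; take the first.
# This is the noisy part: one live DNS query per word in the list.
resolve_candidates() {
    while IFS= read -r name; do
        getent ahosts "$name" | awk -v n="$name" '$2 == "STREAM" { print n, $1; exit }'
    done
}

# Offline demo: just build the candidate list for the constructed target.
sample_wordlist | candidate_names example.com
# Live run against a real target you are authorised to test (needs network):
#   sample_wordlist | candidate_names target.tld | resolve_candidates
```

dnsmap runs the same loop from its built-in list; its -w option lets you supply your own wordlist and -r writes the results to a file. If the target domain has a wildcard DNS record, every candidate resolves to the same address and the whole list looks like hits; dnsmap's -i option exists to ignore such IP addresses, and in a hand-rolled loop you would resolve a random label first and discard any result that matches it.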


sublist3r

You can leverage the power of search engines for discovering subdomains by using the Sublist3r tool. Sublist3r is a Python-based tool that enumerates (extracts/obtains) the subdomains of a given domain using OSINT sources such as search engines and other internet indexing platforms; it sends no queries to the target itself.

  1. Install sublist3r:
sudo apt update
sudo apt install sublist3r
  2. Run sublist3r against a domain:
sublist3r -d microsoft.com
  3. Save the results to a file. Sublist3r's own -o option writes the discovered names to the file you name:
sublist3r -d microsoft.com -o subdomains.txt
  4. Or you can simply redirect the output yourself:
sublist3r -d target_domain 2>/dev/null > subdomains.txt

2>/dev/null sends the command's error output (stderr) to /dev/null, the "black hole" device in Linux that discards everything written to it, and > writes the normal output (stdout) into the file. Note that 2>1 (without the slash) does not do this: it redirects stderr to a file literally named 1 in the current directory.
  5. Edit the txt file. The first few entries are Sublist3r's banner and status messages rather than hostnames, so remove them; where two names appear on one line separated by a comma, remove the comma and separate them like this:

microsoft.com anotherdomain.com
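The cleanup in the last step can be scripted instead of done by hand. The following POSIX shell function is an added example, not part of Sublist3r or of the original page: it reads a raw capture on stdin, strips ANSI colour codes, drops banner and status lines, splits comma-separated names onto their own lines, lower-cases and deduplicates, and keeps only names under the apex domain you pass in. The sample input is constructed to imitate such a capture and is not real tool output.

```shell
#!/bin/sh
# Added example: normalise a raw Sublist3r capture into one in-scope hostname per line.

# Constructed stand-in for a redirected Sublist3r run (not real tool output):
# banner art, status lines, ANSI colour codes, mixed case, two names on one line,
# and an out-of-scope host that must not survive the cleanup.
sample_raw() {
    printf '%s\n' '                 ____        _     _ _     _   _____'
    printf '%s\n' '[-] Enumerating subdomains now for microsoft.com'
    printf '%s\n' '[-] Searching now in Baidu..'
    printf '%s\n' '[-] Total Unique Subdomains Found: 4'
    printf '\033[92m%s\033[0m\n' 'www.microsoft.com'
    printf '%s\n' 'login.microsoft.com,account.microsoft.com'
    printf '%s\n' 'WWW.Microsoft.COM'
    printf '%s\n' 'evil.example.net'
}

# Usage: normalize_subdomains <apex-domain>   (raw tool output on stdin)
# Output: sorted, unique, lower-case hostnames that end in .<apex-domain>.
normalize_subdomains() {
    apex=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    apex_re=$(printf '%s' "$apex" | sed 's/\./\\./g')   # escape dots for the regex
    esc=$(printf '\033')
    sed "s/${esc}\[[0-9;]*m//g" \
      | tr -s ', \t' '\n' \
      | tr 'A-Z' 'a-z' \
      | grep -E "^([a-z0-9-]+\.)+${apex_re}\$" \
      | sort -u
}
# Notes on the pipeline:
#   sed   removes colour escape sequences such as ESC[92m ... ESC[0m
#   tr -s splits on commas and blanks, so "a,b" and banner text become separate tokens
#   grep  keeps only proper hostnames under the apex; banner words, "[-]" markers and
#         other domains fall out. The apex itself is excluded (at least one label required),
#         which also drops the "Enumerating subdomains now for microsoft.com" status line.

sample_raw | normalize_subdomains microsoft.com
```

The cleaned list is what you would hand to the next stage, whether that is resolving each name, feeding it to a port scanner, or cross-checking it against a brute-force run. Keeping the scope filter on the apex domain matters: OSINT sources routinely return look-alike or unrelated hosts, and you do not want those in a list you later scan.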

Sub-domain discovery using knockpy:

Knockpy is a Python-based tool that is used to enumerate (extract/obtain) the sub-domains of a targeted public domain using OSINT techniques and data sources, such as search engines and other internet indexing platforms.

  1. Installation:
sudo apt update && sudo apt install -y knockpy

  2. Usage:

knockpy --recon --dns 8.8.8.8 -d microsoft.com

Note: --recon tells knockpy to perform subdomain enumeration, --dns lets you specify a custom DNS server to query, and -d specifies the target domain. The server named with --dns sees every lookup the tool makes; 8.8.8.8 is Google Public DNS, so pick a resolver appropriate to your engagement.